The recent New York Times report on Walmart de Mexico’s alleged practice of bribing Mexican officials in the superstore’s effort to expand in the country shined yet another spotlight on an important issue for companies doing business overseas: what is and isn’t considered bribery throughout the world.
How can a company comply with federal law, namely the Foreign Corrupt Practices Act (FCPA), which governs business practices abroad? Walmart is not alone on the list of multinational companies facing government investigation for alleged bribery practices. In fact, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) are picking their battles strategically, targeting entire industries in broad sweeps and making examples out of prominent players in order to set the tone. In the midst of this re-invigorated era of FCPA enforcement, the DOJ and SEC recently released an extensive and long-awaited “Resource Guide” to the FCPA, which provides insight to the government’s thinking on what comprises unlawful conduct. It is a must-read and an important one-stop reference to the statute that can provide helpful guidance for companies doing business overseas.
While the guidance didn’t break too much new ground in the area, it does contain useful hypotheticals, checklists and case studies that showcase certain behaviors that trigger DOJ and SEC scrutiny. However, some areas are either maddeningly opaque or deliberately vague.
For example, with respect to gifts and entertainment expenditures, the guidance points out that a $10,000 meal would be considered “unreasonable,” but the government would be unlikely to investigate “cups of coffee.” However, it provides no advice as to what is “reasonable” in between the two—the area over which most compliance officers are most likely to lose sleep.
Despite its shortcomings, the guidance still offers key insight into the government’s FCPA enforcement theory, and compliance officers and management should use it as a lens through which they design, implement and monitor their compliance programs. Below are some tips and advice gathered from the guidance:
Tailoring for the Best Fit. A one-size-fits-all compliance program will likely be inefficient and ineffective, both in preventing violations as well as in persuading the government not to prosecute.
Risk Assessment. Risk assessment is “fundamental to developing a strong compliance program.” Companies should focus compliance resources on high-risk, high-value transactions; if necessary, at the expense of low-risk areas. Compliance officers should consider the following factors:
- Country: Certain countries present higher corruption risks than others.
- Industry: Emerging markets and state-owned or -controlled industries present inherent risks.
- Government Involvement: The more layers of government regulation and oversight, the higher the risk.
- Business Opportunity: The higher the value, the higher the risk of both corruption and detection.
- Potential Business Partners: Liability can be traced back to a company if its compliance program fails to prevent, detect, or correct violations; due diligence is a must.
Culture. Commitment from senior management, autonomy and authority for compliance officers, and consistent and integrated incentives and disciplinary measures all help create a top-to-bottom culture of ethics and compliance throughout the organization.
Ongoing Training and Monitoring. Once a program is in place, everyone—from executives to relevant employees to agents—should be trained periodically, and ideally training should be tailored specifically to their job functions. Transactions and business units should be regularly tested and audited.
Investigation. Companies should have a confidential and retaliation-free mechanism for employees to report suspected or actual misconduct (e.g., a hotline). Companies should also have “an efficient, reliable and properly funded process” in place for investigating such allegations and documenting remedial actions.
Due Diligence: Assess Your Risk and Be Prepared to Clean Up After Yourself
The DOJ and SEC guidance reminds compliance officers that even the most ethical of companies can inherit or take on FCPA risk when they engage third parties or acquire another company, making due diligence prior to such transactions crucial. Where pre-transaction diligence fails to detect FCPA problems, swift post-engagement or post-acquisition remediation is an absolute must to mitigate FCPA liability. Before engaging with third parties (distributors, consultants, or other intermediaries) companies should consider the following:
Business Rationale. Ensure that the both sides understand the scope of the project, and clearly describe in the contract the tasks to be performed by the third party.
Payment Terms. Compare proposed payment terms to industry norms, and ensure that “the third party is actually performing the work for which it is being paid and that its compensation is commensurate with the work being provided.”
Associations with Government Officials. Unusually close relationships, such as exceedingly long working histories or family ties, are red flags that warrant further scrutiny.
Integration of Compliance Policies. The third party should agree to participate in the company’s anti-corruption training, as well as periodic monitoring such as audits and updated compliance certification.
If an acquisition is made, thorough pre-acquisition and post-acquisition diligence is a must. The acquiring company should elicit information on, among other things, the following topics:
International Business Operations. Identify the international markets where the target conducts business, and determine whether any of these markets have high corruption risks.
Industries. Assess whether the target is involved in any industries that are vulnerable to corruption or heavily regulated by foreign governments.
Customers. Identify any customers that may be deemed foreign officials and review customer contracts.
Third-Party Practices. Examine the target’s various third-party relationships and review third-party contracts. Determine whether the target conducts due diligence prior to entering into third-party relationships. Also inspect the third-party’s financials for questionable entries, and determine whether the target has appropriate anti-corruption policies and procedures and whether employees have been adequately trained.
Post-acquisition. The acquiring company should promptly and completely integrate the target company into its compliance program. This should include training new employees, re-evaluating inherited third party relationships and auditing new business units. If any improper conduct is found post-acquisition, the acquirer should immediately stop the bribery or conduct, retrain affected business units, audit the target company’s books and financials, and consider whether to self-report.
The FCPA Guidance is not perfect, but it can be a useful resource for companies, compliance officers, and practitioners alike. Its issuance should encourage companies to re-assess their existing compliance programs and update them accordingly.
Patrick J. O’Toole, Jr. is partner, and Caroline K. Simons and Jaclyn Essinger are associates, at the Boston office of international law firm Weil, Gotshal & Manges.
The author is solely responsible for the content.
Meet Boston's coolest, smartest and most dynamic founders in our REEL Innovators video series!